09 February 2017
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0376
       Cisco ASA Clientless SSL VPN CIFS Heap Overflow Vulnerability
                              9 February 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Adaptive Security Appliance
Publisher:         Cisco Systems
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-3807

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170208-asa

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Advisory

Cisco ASA Clientless SSL VPN CIFS Heap Overflow Vulnerability

High

Advisory ID:     cisco-sa-20170208-asa
First Published: 2017 February 8 16:00 GMT
Last Updated:    2017 February 8 16:57 GMT
Version 1.1:     Final
Workarounds:     Yes
Cisco Bug IDs:   CSCvc23838

CVE-2017-3807
CWE-119

CVSS Score:
Base 8.8, Temporal 8.8
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

A vulnerability in Common Internet Filesystem (CIFS) code in the
Clientless SSL VPN functionality of Cisco ASA Software could allow an
authenticated, remote attacker to cause a heap overflow.

The vulnerability is due to insufficient validation of user supplied
input. An attacker could exploit this vulnerability by sending a crafted
URL to the affected system. An exploit could allow the remote attacker to
cause a reload of the affected system or potentially execute code.

Note: Only traffic directed to the affected system can be used to exploit
this vulnerability. This vulnerability affects systems configured in
routed firewall mode only and in single or multiple context mode.
This vulnerability can be triggered by IPv4 or IPv6 traffic. A valid TCP
connection is needed to perform the attack. The attacker needs to have
valid credentials to log in to the Clientless SSL VPN portal.

Cisco has released software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170208-asa

Affected Products

Vulnerable Cisco ASA Software running on the following products may be
affected by this vulnerability:

  * Cisco ASA 5500 Series Adaptive Security Appliances
  * Cisco ASA 5500-X Series Next-Generation Firewalls
  * Cisco Adaptive Security Virtual Appliance (ASAv)
  * Cisco ASA for Firepower 9300 Series
  * Cisco ASA for Firepower 4100 Series
  * Cisco ISA 3000 Industrial Security Appliance

Refer to the "Fixed Software" section of this security advisory for more
information about the affected releases.

Vulnerable Products

Cisco ASA Software is affected by this vulnerability if the Clientless SSL
VPN portal is enabled.

To determine whether the Clientless SSL VPN portal is enabled, the
administrator can verify the following:

  * webvpn is enabled on at least one interface.
  * The group policy includes the ssl-clientless option configured in the
    vpn-tunnel-protocol command.

To determine whether webvpn is enabled, use the show running-config webvpn
command. The following example shows a Cisco ASA with the Clientless SSL
VPN portal enabled on the outside interface:

    ciscoasa# show running-config webvpn
    webvpn
     enable outside
     [...]

To determine whether the ssl-clientless option is configured in the
vpn-tunnel-protocol command, use the show running-config group-policy
<group policy name> attributes | include vpn-tunnel-protocol command. The
following example shows a policy called Clientless with the ssl-clientless
option configured in the vpn-tunnel-protocol command:

    ciscoasa# show running-config group-policy Clientless attributes | include vpn-tunnel-protocol
     vpn-tunnel-protocol ssl-client ssl-clientless

If the vpn-tunnel-protocol command options are not specified in the group
policy, Cisco ASA inherits the options from the default group policy
called DfltGrpPolicy. By default, the DfltGrpPolicy has the ssl-clientless
option enabled.

Note: Cisco ASA configured with a Cisco AnyConnect Essential license is
not affected by this vulnerability.

Determining the Running Software Version

To determine whether a vulnerable version of Cisco ASA Software is running
on an appliance, administrators can use the show version command. The
following example shows the results of the show version command on an
appliance running Cisco ASA Software version 9.2(1):

    ciscoasa# show version | include Version
    Cisco Adaptive Security Appliance Software Version 9.2(1)
    Device Manager Version 7.4(1)

Customers who use Cisco Adaptive Security Device Manager (ASDM) to manage
devices can locate the software version in the table that appears in the
login window or the upper-left corner of the Cisco ASDM window.

Products Confirmed Not Vulnerable

Cisco Firepower Threat Defense Software is not affected by this
vulnerability.

No other Cisco products are currently known to be affected by this
vulnerability.

Workarounds

It is possible to block the offending URL using a webtype access list,
which can be performed using the following steps:

1. Configure the webtype access list:

    access-list bugCSCvc23838 webtype deny url https://<asa_ip_address>/+webvpn+/CIFS_R/*
    access-list bugCSCvc23838 webtype permit url https://*
    access-list bugCSCvc23838 webtype permit url cifs://*

   The second and third access-list entries allow any other HTTPS and
   CIFS traffic. Administrators should review their configuration and
   adapt this access list based on their access policy.

2. Apply the access list in the group policy with the filter value
   <webtype acl name> command:

    group-policy Clientless attributes
     webvpn
      filter value bugCSCvc23838

Fixed Software

In the following table, the left column lists major releases of Cisco ASA
Software. The right column indicates whether a major release is affected
by the vulnerability described in this advisory and the first release that
includes the fix for this vulnerability.

    Cisco ASA Major Release    First Fixed Release
    Prior to 9.0^1             Affected, migrate to 9.1(7.13) or later
    9.0                        Affected, migrate to 9.1(7.13) or later
    9.1                        9.1(7.13) or later
    9.2                        Affected, migrate to 9.4(4) or later
    9.3                        Affected, migrate to 9.4(4) or later
    9.4                        9.4(4) or later
    9.5                        Affected, migrate to 9.6(2.10) or later
    9.6                        9.6(2.10) or later
    9.7                        Not affected

[1] Cisco ASA Software releases prior to 9.1 and Cisco ASA release 9.3
    have reached End of Software Maintenance. Customers should migrate to
    a supported release.
[2] A fix for Cisco ASA Software releases 9.2 and 9.5 will be available
    in April 2017.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.

Source

This vulnerability was reported to Cisco by Oliver Chang, from Google
Project Zero.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.

URL

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170208-asa

Revision History

    Version  Description                       Section         Status  Date
    1.1      Updated table in Fixed Software.  Fixed Software  Final   2017-February-08
    1.0      Initial public release.                           Final   2017-February-08

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits
the distribution URL is an uncontrolled copy and may lack important
information or contain factual errors. The information in this document is
intended for end users of Cisco products.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
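
Added example, not part of the Cisco advisory or the AusCERT bulletin: a Python helper that applies the "Fixed Software" table to the output of `show version`, as described under "Determining the Running Software Version". The function names and sample lines are constructed for illustration, and the `9.1(7)13` spelling of interim builds is an assumption about device output.

```python
import re

# First fixed release per train, from the advisory's "Fixed Software" table.
FIRST_FIXED = {(9, 1): (9, 1, 7, 13), (9, 4): (9, 4, 4), (9, 6): (9, 6, 2, 10)}
# Trains the table tells you to migrate off, mapped to the train with the fix.
MIGRATE_TO = {(9, 0): (9, 1), (9, 2): (9, 4), (9, 3): (9, 4), (9, 5): (9, 6)}

VERSION_RE = re.compile(
    r"Appliance Software Version (\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?")

def parse_version(show_version):
    """Return e.g. (9, 1, 7, 13) from `show version` output."""
    # Accepts 9.1(7.13) and also 9.1(7)13 (assumed device spelling of interim builds).
    m = VERSION_RE.search(show_version)
    if not m:
        raise ValueError("no ASA software version found")
    return tuple(int(g) for g in m.groups() if g is not None)

def fmt(v):
    """(9, 1, 7, 13) -> '9.1(7.13)', the advisory's notation."""
    return "%d.%d(%s)" % (v[0], v[1], ".".join(map(str, v[2:])))

def triage(show_version):
    """Return (affected, advice); affected is None for trains not in the table."""
    ver = parse_version(show_version)
    train = ver[:2]
    if train == (9, 7):
        return False, "not affected"
    if train > (9, 7):
        return None, "train not listed in the advisory"
    # Everything before 9.0 is treated like 9.0: migrate to the 9.1 fix.
    target = MIGRATE_TO.get(train, train) if train >= (9, 0) else (9, 1)
    fixed = FIRST_FIXED[target]
    if ver >= fixed:
        return False, "already at or past " + fmt(fixed)
    verb = "upgrade" if target == train else "migrate"
    return True, "%s to %s or later" % (verb, fmt(fixed))

# Constructed sample lines; 9.2(1) is the version shown in the advisory's example.
SAMPLES = [
    "Cisco Adaptive Security Appliance Software Version 9.2(1)",
    "Cisco Adaptive Security Appliance Software Version 9.1(7)12",
    "Cisco Adaptive Security Appliance Software Version 9.6(2.10)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.split()[-1], "->", triage(s))
```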
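
Added example, not part of the Cisco advisory or the AusCERT bulletin: a Python check for the two conditions listed under "Vulnerable Products", run over a saved running-config and including the DfltGrpPolicy inheritance rule. The function names and the configuration excerpt are constructed for illustration, and the AnyConnect Essentials exemption is not evaluated.

```python
import re

def clientless_exposure(running_config):
    """Return (interfaces with webvpn enabled, group policies allowing ssl-clientless)."""
    interfaces, policies, protocols, section = [], {"DfltGrpPolicy"}, {}, ""
    for line in running_config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line[0].isspace():                 # top-level command opens a section
            section = " ".join(words)
            if words[0] == "group-policy" and len(words) >= 3:
                policies.add(words[1])
        elif section == "webvpn" and words[0] == "enable" and len(words) == 2:
            interfaces.append(words[1])
        elif words[0] == "vpn-tunnel-protocol":
            m = re.fullmatch(r"group-policy (\S+) attributes", section)
            if m:
                protocols[m.group(1)] = words[1:]
    # A policy without its own vpn-tunnel-protocol inherits from DfltGrpPolicy,
    # which has ssl-clientless enabled unless the config overrides it.
    inherited = protocols.get("DfltGrpPolicy", ["ssl-clientless"])
    allowing = sorted(p for p in policies
                      if "ssl-clientless" in protocols.get(p, inherited))
    return interfaces, allowing

def portal_enabled(running_config):
    """True when both conditions from "Vulnerable Products" hold."""
    interfaces, allowing = clientless_exposure(running_config)
    return bool(interfaces) and bool(allowing)

# Constructed running-config excerpt (not from a real device). The
# AnyConnect Essentials exemption mentioned in the advisory is not evaluated.
SAMPLE_CONFIG = """\
webvpn
 enable outside
group-policy Clientless internal
group-policy Clientless attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
group-policy TunnelOnly internal
group-policy TunnelOnly attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  filter value bugCSCvc23838
group-policy Inherits internal
"""

if __name__ == "__main__":
    print(clientless_exposure(SAMPLE_CONFIG), portal_enabled(SAMPLE_CONFIG))
```

A policy such as `Inherits` above, which never sets `vpn-tunnel-protocol`, is reported because it falls back to DfltGrpPolicy; that is the case the `include vpn-tunnel-protocol` filter shows as empty output.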